I've just got an AlertMe kit, and given there seems to be a problem with their website/control panel which is preventing me using the service, I thought I'd have a poke around the hardware side of things.

Turns out that the AlertMe Hub (at least the Nano that came with my Energy starter kit) runs Linux. There's a TTL serial connector on the board, which is nice and clearly marked. There's a similar port marked 'Modem' as well, presumably for the GSM modem in the Security Hub.

The pinout is fairly standard TTL, Pin 4 is GND, 2 is RX and 3 is TX. The port runs at 115200 baud.

If anyone has a guess at what the root password might be, or where to get the firmware blobs from, that'd be appreciated.

Here, for your viewing pleasure, is the system from poweron to login prompt:

As a comparison to the Nano Hub, I soldered some header pins to the debug holes on an AlertMe Hub (full version, although this output was recorded while disconnected from its comms board). Using a TTL-232R-3V3, pin 4 is furthest from the DEBUG label and follows the same order: Pin 4 is GND (Black), 3 is TX (Orange) and 2 is RX (Yellow). Again, the port runs at 115200 baud.

At first glance, one thing that is different is that there's twice as much memory in the full Hub - 64MB as opposed to 32MB in the Nano. I was also really impressed with the design of the Hub itself; the main board sits on one side, the comms board on the other, linked with a small ribbon cable. The battery backup is a set of Varta VH4000 cells made into a battery, which sits in a carrier in the centre of the Hub. Very neat - I also took some pics, which I'll try to upload somewhere.

robwalker wrote: My first thought is that AlertMe are very likely breaking the law if they're not making the source code available...

They will (or used to) make the GPL'd source available. You had to e-mail a specific address which I can't recall and they sent the source to you. I have to say there wasn't anything of any interest because, as they only have to supply the GPL stuff, all you see is the code they have customised around Python etc.

Ok, so I did this for my Iris hub and got the following.... (same TTL pin order)

At the end, I don't get a login screen. It says ok, and then the terminal appears to put out garbage. I don't know if they change the terminal speed or what--- maybe it goes encrypted or something???!? Any ideas?

I just started messing with the Iris Hub, and have some progress to report. I'm on the console as wpiman was. I've found the configure command in 'hubos', which is -before- linux boots, allows you to change things, so I've suspended boot with 'wait', then used 'configure' to turn on SSH (and confirmed it is turned on after boot), and I've changed the linuxCMD line to break me into a busybox shell (which it did). I'm going to do some poking around now to see what I can find. I will report anything I find here.

So it dumps out the same public key you can query from the hub's 'webserver' and allows you to change certain things just like you can in the 'hubos' bootloader. The hub appears to have 'scp' on it, so I'm going to pull off some files for offline analysis.

I've also found 'hubapp' under /usr/bin, which by my guess is the main 'hub' process. I will continue to report any more findings (if anyone's interested).

In reference to the 'garbage' after boot, it appears that 'starting connectd' is referring to having a modem connected to the serial port or similar.

I have access to the /etc/passwd and /etc/shadow files, it would appear. I'll pull the file(s) offline to see if 'john the ripper' can have any fun with it.

I also found that if it 'bricks' itself, the bootloader will download a new image from the imgserver and flash it and attempt to repair itself.

I edited the boot scripts so that it doesn't load connectd, and there's no garbage, so now I can watch the console.

I've successfully enabled SSH, as well as having a shell loaded and changed the root password, and have the 'alertme' hub process running... here's the output from its log file:

Nice progress. What I am really hoping to figure out is how the Zigbee Sensors pair up with the device, and then use that knowledge to get them to pair up with a cheap USB Zigbee stick-- like what I got from Telegesis. Then I can pair the sensors to my PC directly and bypass the hub-- or possibly use the hub as an interface for Zigbee over the serial bus.

Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy.

I struggled finding which pin numbers were what. It turns out pin 1 is the square pin! As stated before:

Pin 4: Ground
Pin 3: Rx
Pin 2: Tx
Pin 1: Unknown?

I used a 3.3V FTDI cable with the screen command to get an interactive terminal with many lines of history.

I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the hubapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.

duncanmcbryde wrote: Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line.
<snip>
I think that's as far as I got with poking around. I'd like to see if I can replicate Sorphin's access to the hubapp program, I can't seem to find it. Next stage is to get SSH up and running and to see if I can get the default password. I'm planning to intercept traffic between the hub and the internet to see what's being sent. Ideally what I'd like to do is be able to scrape the power usage from the zigbee power meter.

My steps would be slightly different than yours since you're using an Alertme nanohub and I was using a Lowe's (AlertMe) IRIS hub. It was a bit different, and it doesn't have the same OS layout, different sw, etc. The traffic to the 'servers' is SSL encrypted. That's where I got nailed... Man in the Middle attack without being able to replace the certs is a real pain in the arse... I took all my stuff back because I was having too many issues compared to what it was worth with it being so tied into the "IRIS" service, tbh.

duncanmcbryde wrote: Hi guys, I'm playing around with the Alertme nanohub. I thought I'd share with the community a bit on how to get to the linux command prompt, as I was struggling to follow Sorphin's steps to get to the command line. Perhaps someone will find the steps handy.
<snip>

I noted the output of configure, in case it may be useful to me or someone else.

I started playing around with the alertme hub, but then Real Life (TM) got in the way and I set it aside for quite a while without progress. I'm attempting to dump the memory with the alertme hub, and now I'm truly outside my comfort zone. I'm using the "dump" command in the boot environment and I'm seeing a lot of empty memory. The output looks like

4.1.1.1 Memory Map
The normal Boot ROM base address base is 0x8009_0000. It will alias on 16 kbyte intervals.
When internal boot is active, the Boot ROM is double decoded and appears at its normal
address base and at address 0x0000_0000. At address 0x0000_0000 plus the current offset,
the Boot ROM can write the BootModeClr bit to remap itself back to 0x8009_0000 plus the current
offset. Execution then continues with the instruction at the next Boot ROM address in
0x8009_0000 space.

I can either attempt to spend the next few days attempting to dump all the memory, or I could attempt to dump from some specific memory locations. However, I'm not quite sure how to specify the dump locations. I'm going to have a bit more of a play. Perhaps someone can point me towards some firmware dumping guide?

Here's the (incomplete) output of the dump command in Bzip2 format. I left the dump command running for about 20 hours while recording the terminal and saving to a text file. The uncompressed text file is 622 MB, which is a bit large to post! I tried uploading a bzip compressed file to this board, but it crashed. XZ has the best compression on linux and should work on unix systems and 7-zip. This board does not allow .xz files to be posted, so I uploaded it to dropbox.
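An added example for triaging a console capture like the 622 MB one described above (my own code, not from any poster here and not AlertMe's): it reports which address ranges actually hold data versus all-0x00/all-0xFF filler, and flags lines that repeat at the 16 kbyte alias interval the quoted memory map describes, so a re-run can target specific locations instead of everything. The 'ADDRESS: hex bytes' line format, the 'hubos> dump' prompt and the sample bytes are assumptions, since the thread does not show the real dump output.

```python
# Added example (not from the thread): triage a captured console memory dump.
# ASSUMED line format 'ADDRESS: b0 b1 ... bN' in hex; constructed sample below.
import re

LINE_RE = re.compile(r"^\s*(?:0x)?([0-9A-Fa-f]{4,8})\s*:\s*((?:[0-9A-Fa-f]{2}\s*)+)$")
EMPTY_FILL = {0x00, 0xFF}  # erased flash reads 0xFF, unpopulated RAM often 0x00
ALIAS_PERIOD = 0x4000      # Boot ROM aliases on 16 kbyte intervals (quoted datasheet)

SAMPLE_CAPTURE = """\
hubos> dump
80090000: 12 34 56 78 9a bc de f0 11 22 33 44 55 66 77 88
80090010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80090030: de ad be ef 00 00 00 01 00 00 00 02 00 00 00 03
80090040: ca fe ba be ca fe ba be ca fe ba be ca fe ba be
80094000: 12 34 56 78 9a bc de f0 11 22 33 44 55 66 77 88
""".splitlines()

def parse_line(line):
    """(address, data) for a dump line; None for prompts, boot text or noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))

def populated_regions(lines):
    """Contiguous [start, end) ranges whose bytes are not all 0x00 / all 0xFF."""
    regions, start, end = [], None, None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, data = parsed
        empty = len(set(data)) == 1 and data[0] in EMPTY_FILL
        if not empty and start is not None and addr == end:
            end = addr + len(data)               # extend the current region
        elif not empty:
            if start is not None:
                regions.append((start, end))     # close the old one, open a new one
            start, end = addr, addr + len(data)
        elif start is not None:
            regions.append((start, end))         # an empty line closes the region
            start = end = None
    if start is not None:
        regions.append((start, end))
    return regions

def aliased_lines(lines, period=ALIAS_PERIOD):
    """(addr, addr + period) pairs with identical data: likely an alias, not new memory."""
    seen = {p[0]: p[1] for p in map(parse_line, lines) if p}
    return sorted((a, a + period) for a, d in seen.items() if seen.get(a + period) == d)
```

Run it over the saved terminal log (`populated_regions(open("dump.txt"))`) to get a short list of ranges worth dumping again deliberately.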